Normally you can request a separate free SSL certificate issued by Let's Encrypt for each subdomain, but that quickly becomes a management burden. To simplify management, you can instead request a Let's Encrypt SSL certificate that supports wildcards. The procedure differs from requesting a certificate for a single domain name.
Here we again describe only the installation method on a Linux server.
1 Install the Certbot client and the mod_ssl module
First, check whether the Certbot client and the mod_ssl module are installed. If they are not installed yet, refer to this site's article "How to obtain a free SSL certificate issued by Let's Encrypt".
2 Install a wildcard Let's Encrypt SSL certificate
The installation procedure is as follows.
[root@usite ~]# certbot certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.DomainName -d DomainName \
-m UMail@Address \
--agree-tos \
--manual-public-ip-logging-ok ← obtain the wildcard SSL certificate
Notes on the example:
DomainName: usite.com
UMail@Address: your own e-mail address
Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Use of --manual-public-ip-logging-ok is deprecated.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/usite.com.conf)
It contains these names: usite.com
You requested these names for the new certificate: *.usite.com, usite.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E ← replace the existing SSL certificate
Renewing an existing certificate for *.usite.com and usite.com
Performing the following challenges:
dns-01 challenge for usite.com
dns-01 challenge for usite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.usite.com with the following value:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-dXXxxxXXxxoio
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue ← register the TXT record above before pressing Enter; the method is described below
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.usite.com with the following value:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-aXXxxxXXxx4Bs
Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue ← register the TXT record above before pressing Enter; the method is described below
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/usite.com/fullchain.pem ← the SSL certificate obtained
Your key file has been saved at:
/etc/letsencrypt/live/usite.com/privkey.pem ← the private key obtained
Your certificate will expire on 2023-03-22. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3 Registering the validation records on the domain's DNS server
Log in to your site's DNS server and, following the prompts in section 2 above, register each validation record. They take the following form.
txt _acme-challenge.usite.com xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-dXXxxxXXxxoio
txt _acme-challenge.usite.com xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-aXXxxxXXxx4Bs
The result can be checked with the nslookup command, as shown below. Once you have confirmed that the validation values are registered, return to the step in section 2 and press Enter.
[root@usite ~]# nslookup -q=txt _acme-challenge.usite.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
_acme-challenge.usite.com text =
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-dXXxxxXXxxoio"
_acme-challenge.usite.com text =
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-aXXxxxXXxx4Bs"
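Checking the two values by eye is error-prone, especially because the second prompt requires two distinct TXT records under the same name. The following script is an added example, not code from the article or from Certbot: it parses the output of nslookup -q=txt and reports which of the values certbot asked for are still missing. The resolver address and the challenge values are placeholders taken from the article's sample session.

```python
"""Confirm that every _acme-challenge TXT value is visible before pressing Enter.

Added example, not code from the original article or from Certbot. It parses
the output of `nslookup -q=txt NAME` and reports which of the values certbot
asked for are still missing, handling the case the prompt warns about: two
distinct TXT records under the same name. The resolver address and the
challenge values are placeholders copied from the article's sample session.
"""
from __future__ import annotations

import re
import subprocess

# One TXT record as nslookup prints it:  NAME  text = "value" ["more" ...]
# Some builds wrap the value onto the next line, so \s* after '=' may span a newline.
RECORD_RE = re.compile(
    r'^\s*(?P<name>\S+)\s+text\s*=\s*(?P<quoted>"[^"\n]*"(?:\s*"[^"\n]*")*)',
    re.MULTILINE,
)


def parse_nslookup_txt(output: str) -> dict[str, set[str]]:
    """Map each record name (lower-case, no trailing dot) to the set of TXT values seen."""
    records: dict[str, set[str]] = {}
    for match in RECORD_RE.finditer(output):
        name = match.group("name").lower().rstrip(".")
        # A long TXT record is printed as several quoted strings; join them back together.
        value = "".join(re.findall(r'"([^"]*)"', match.group("quoted")))
        records.setdefault(name, set()).add(value)
    return records


def missing_values(output: str, name: str, expected: set[str]) -> set[str]:
    """Return the expected challenge values that are not (yet) present under `name`."""
    found = parse_nslookup_txt(output).get(name.lower().rstrip("."), set())
    return set(expected) - found


def query_txt(name: str, resolver: str = "8.8.8.8") -> str:
    """Run nslookup against the given resolver and return its raw output (needs network)."""
    result = subprocess.run(
        ["nslookup", "-q=txt", name, resolver],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


# Constructed sample output in the shape of the article's nslookup session; the
# second record is deliberately wrapped onto a new line to exercise the parser.
SAMPLE_OUTPUT = """\
Server:\t\tdns.google
Address:\t8.8.8.8#53

Non-authoritative answer:
_acme-challenge.usite.com\ttext = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-dXXxxxXXxxoio"
_acme-challenge.usite.com\ttext =
\t"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-aXXxxxXXxx4Bs"
"""

# The two placeholder values certbot asked for in the article's session.
EXPECTED = {
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-dXXxxxXXxxoio",
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-aXXxxxXXxx4Bs",
}

if __name__ == "__main__":
    import sys
    # Usage: python check_txt.py _acme-challenge.usite.com VALUE1 VALUE2 ...
    if len(sys.argv) < 3:
        missing = missing_values(SAMPLE_OUTPUT, "_acme-challenge.usite.com", EXPECTED)
        print("sample check, missing:", sorted(missing) or "none")
    else:
        name, values = sys.argv[1], set(sys.argv[2:])
        missing = missing_values(query_txt(name), name, values)
        print("missing:", sorted(missing) or "none")
        sys.exit(1 if missing else 0)
```

A public resolver such as 8.8.8.8 may still be serving a cached answer, while Let's Encrypt asks your zone's authoritative servers directly; for a definitive check pass one of those nameservers as the resolver argument of query_txt, and only press Enter once nothing is reported missing.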
4 Configure the Apache server
After obtaining the SSL certificate, it must be configured on the Apache server as follows.
[root@usite ~]# vi /etc/httpd/conf.d/ssl.conf ← edit the SSL configuration file
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/usite.com/cert.pem ← set the server certificate (public key)
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/usite.com/privkey.pem ← set the private key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/letsencrypt/live/usite.com/fullchain.pem ← set the certificate chain
After completing the settings above, reload the Apache server as follows.
[root@usite ~]# systemctl reload httpd ← reload the Apache server
With the method above you can obtain a free wildcard SSL certificate issued by Let's Encrypt and complete its configuration. This article referred to the following pages:
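After the reload it is worth confirming what the server actually presents. The script below is an added example, not code from the article, Certbot or Apache: it reads a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, applies the one-level wildcard rule (so *.usite.com matches www.usite.com but neither usite.com itself nor a.b.usite.com, which is why the certbot command above requests both -d *.DomainName and -d DomainName), and reports the days left before the notAfter date. SAMPLE_CERT is constructed from the article's example domain and expiry date; fetch_cert is the only part that touches the network.

```python
"""Check which names the certificate Apache now serves actually covers, and for how long.

Added example, not code from the original article, Certbot or Apache. It works
on the dict shape ssl.SSLSocket.getpeercert() returns, applies the one-level
wildcard rule ("*.usite.com" matches "www.usite.com" but neither "usite.com"
nor "a.b.usite.com"), and reports the days left before notAfter. SAMPLE_CERT
is constructed from the article's example domain and expiry date.
"""
from __future__ import annotations

import socket
import ssl
import time


def san_dns_names(cert: dict) -> list[str]:
    """DNS names from the subjectAltName extension (the names clients actually check)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname: '*' is allowed only as the whole
    leftmost label and stands for exactly one label, never for zero or several."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]   # labels after the '*'
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[0] != "" and h_labels[1:] == p_labels


def uncovered_hosts(cert: dict, hostnames: list[str]) -> list[str]:
    """Hostnames that no SAN entry of `cert` covers."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def days_remaining(cert: dict, now_epoch: float | None = None) -> int:
    """Whole days until notAfter; negative means the certificate has already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now_epoch is None else now_epoch
    return int((not_after - now) // 86400)


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Fetch the certificate a live server presents for `hostname` (needs network).

    The chain is still verified against the system trust store; only the hostname
    check is turned off so that a name mismatch is reported by uncovered_hosts()
    instead of raising during the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed in the shape getpeercert() returns, using the article's domain and expiry.
SAMPLE_CERT = {
    "subject": ((("commonName", "usite.com"),),),
    "subjectAltName": (("DNS", "*.usite.com"), ("DNS", "usite.com")),
    "notBefore": "Dec 22 00:00:00 2022 GMT",
    "notAfter": "Mar 22 00:00:00 2023 GMT",
}

if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py usite.com www.usite.com ...   (no args: use SAMPLE_CERT)
    hosts = sys.argv[1:] or ["usite.com", "www.usite.com", "a.b.usite.com"]
    cert = fetch_cert(hosts[0]) if sys.argv[1:] else SAMPLE_CERT
    print("not covered:", uncovered_hosts(cert, hosts) or "none")
    print("days remaining:", days_remaining(cert))
```

Run it against each hostname you serve; anything listed as not covered needs its own -d entry the next time certbot is run, and a low days-remaining value is the signal to renew before the date shown in the certbot output above.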
- https://ex1.m-yabe.com/archives/4647
- https://laboradian.com/use-wildcard-with-letsencrypt/